M0810: Out-of-Band Communications Channel
Analyst context for executives and security teams
Out-of-Band Communications Channel is an ICS resilience control: when primary OT communications are unavailable, blocked, or potentially untrustworthy, operators and responders need alternative ways to coordinate decisions. Its value is highest during loss or manipulation of control/view scenarios, where delayed or incorrect communication can affect operational continuity and cyber-physical safety decisions.
Executive priority
Treat this as a continuity and incident-command requirement, not just a technical backup. Leaders should ask whether critical operator, engineering, and response communications can continue during communication failures or data integrity attacks, and whether those methods are documented, exercised, and auditable. This supports resilience planning and compliance evidence, including the referenced NIST SP 800-53 Rev. 5 SC-37 context.
Technical view
SOC, OT, and IR teams should validate that out-of-band communication procedures exist for the ATT&CK relationships this mitigation addresses: Denial/Loss of Control, Denial/Loss/Manipulation of View, Adversary-in-the-Middle, Alarm Suppression, blocked OT messages, and blocked communications over serial COM, Ethernet, and Wi-Fi. Because MITRE provides no detection text for this mitigation, validation should focus on whether teams can recognize degraded communications and switch to approved alternate coordination paths without relying on the affected channel.
Likely telemetry
- OT communication health and availability indicators for command and reporting paths
- HMI/SCADA or control-system connectivity alarms and loss-of-view/loss-of-control events
- Alarm system status, including missing, delayed, or suppressed alarm conditions where monitored
- Network or device evidence of blocked communications across relevant OT communication paths
- Incident tickets, operator logs, shift logs, and exercise records showing when alternate communications were invoked
Detection direction
- Do not treat this mitigation as a detection rule; MITRE does not provide official detection guidance for M0810.
- Validate monitoring for symptoms that would trigger out-of-band procedures: blocked command messages, blocked reporting messages, communication failures, alarm disruption, and discrepancies between expected and reported process state.
- Tune operational alerts to distinguish maintenance, planned outages, and transient communication failures from suspicious denial, manipulation, or blocking behaviors.
- Confirm SOC and OT teams have escalation criteria for when the primary communications channel is considered unavailable or untrusted.
Mitigation priorities
- Identify critical communications required for safe operation, operator oversight, engineering support, and incident response.
- Define approved alternate communication methods for communication failures and data integrity attack scenarios.
- Exercise the procedures against the related ICS impact scenarios, especially loss of control/view, denial of control/view, blocked messages, and alarm suppression.
- Preserve evidence that procedures are maintained and tested for audit, resilience, and incident-readiness purposes.
- Ensure alternate methods do not depend on the same failed or untrusted communication path wherever the local architecture allows.
Analyst notes and limits
M0810 is an ICS ATT&CK course-of-action object, not an adversary behavior. Its decision value comes from the breadth of mitigated ICS techniques: it supports continuity when operators may lose control, lose visibility, receive manipulated information, miss alarms, or have OT messages blocked. The ATT&CK object is mapped to NIST SP 800-53 Rev. 5 SC-37.
The supplied ATT&CK object does not specify platforms, tactics, or official detection guidance. Local OT architecture, process safety requirements, communication dependencies, and response procedures are required to determine whether the mitigation is adequate.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T1695.001 | Serial COM Sub-technique | Ensure devices have an alternative method for communicating in the event that a valid COM port is unavailable. |
| ICS | T0815 | Denial of View | Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage [1]. Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data. |
| ICS | T0813 | Denial of Control | Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage [1]. Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data. |
| ICS | T1691.001 | Command Message Sub-technique | Provide an alternative method for sending critical command messages to outstations; this could include using radio/cell communication to send messages to a field technician who physically performs the control function. |
| ICS | T1691.002 | Reporting Message Sub-technique | Provide an alternative method for sending critical report messages to operators; this could include using radio/cell communication to obtain messages from field technicians who can locally obtain telemetry and status data. |
| ICS | T0831 | Manipulation of Control | Utilize out-of-band communication to validate the integrity of data from the primary channel. |
| ICS | T0830 | Adversary-in-the-Middle | Utilize out-of-band communication to validate the integrity of data from the primary channel. |
| ICS | T0826 | Loss of Availability | Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage [1]. Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data. |
| ICS | T0832 | Manipulation of View | Utilize out-of-band communication to validate the integrity of data from the primary channel. |
| ICS | T1695.003 | Wi-Fi Sub-technique | Ensure systems and devices have an alternative method for communicating in the event that Wi-Fi communication channels become unavailable. |
| ICS | T1691 | Block Operational Technology Message | Provide an alternative method for sending critical command messages to outstations; this could include using radio/cell communication to send messages to a field technician who physically performs the control function. |
| ICS | T0827 | Loss of Control | Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage [1]. Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data. |
| ICS | T1695 | Block Communications | Ensure systems and devices have an alternative method for communicating in the event that communication channels become unavailable. |
| ICS | T1695.002 | Ethernet Sub-technique | Ensure systems and devices have an alternative method for communicating in the event that Ethernet communication channels become unavailable. |
| ICS | T0878 | Alarm Suppression | Provide an alternative method for alarms to be reported in the event of a communication failure. |
| ICS | T0829 | Loss of View | Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage [1]. Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 423a9719af66… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] National Institute of Standards and Technology. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved 2020/09/17.
- [2] Defense Advanced Research Projects Agency. Rapid Attack Detection, Isolation and Characterization Systems (RADICS). Retrieved 2020/09/17.
- [3] mitre-attack M0810
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.